Here are the key points from the article:

1. **New Malware – Spica**: This new backdoor malware is being used in phishing campaigns. It masquerades as a PDF decryption tool, named “Proton-decrypter.exe,” which is offered to victims who receive seemingly encrypted PDF documents via email.

2. **Phishing Tactics**: The attackers impersonate individuals affiliated with the targets and send PDF documents that appear to be encrypted. When recipients reply that they can’t read the documents, they are sent a link to download the fake decryption tool.

3. **Functionality of Spica**: Once installed, Spica, a Rust-based malware, can execute shell commands, steal cookies from browsers like Chrome, Firefox, Opera, and Edge, and manage file uploads and downloads.

4. **Persistence Mechanism**: Spica establishes persistence on compromised devices using a scheduled task named ‘CalendarChecker’, created through an obfuscated PowerShell command.
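The persistence step in point 4 is the most detectable part of the chain: a newly created scheduled task whose action is a hidden, base64-encoded PowerShell command. The following Python is an added detection example, not code from the article or from Google TAG; it runs over constructed records shaped loosely like Windows Security event 4698 (scheduled task created), and the file path inside the encoded command is invented for illustration.

```python
import base64
import re

# Constructed sample records in a simplified dict shape modelled on Windows
# Security event 4698 (scheduled task created). The task name and the encoded
# PowerShell action follow the article; paths and other fields are made up.
ENCODED_ACTION = base64.b64encode(
    "Start-Process 'C:\\Users\\Public\\Proton-decrypter.exe'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\CalendarChecker", "Command": "powershell.exe",
     "Arguments": "-WindowStyle Hidden -enc " + ENCODED_ACTION},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h -o"},
    {"EventID": 4698, "TaskName": "\\BackupJob", "Command": "powershell.exe",
     "Arguments": "-File C:\\scripts\\backup.ps1"},
]
SUSPICIOUS_TASK_NAMES = {"calendarchecker"}  # name reported for Spica; extend as needed
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAG = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)

def decode_encoded_command(arguments):
    """Decode a -EncodedCommand payload (base64 over UTF-16LE); None if absent/invalid."""
    m = ENC_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_task_event(event):
    """Return the reasons a task-creation event resembles the Spica persistence step."""
    reasons = []
    if event.get("EventID") != 4698:
        return reasons
    leaf = event.get("TaskName", "").rsplit("\\", 1)[-1].lower()
    if leaf in SUSPICIOUS_TASK_NAMES:
        reasons.append("task name matches ColdRiver persistence task")
    args = event.get("Arguments", "")
    if "powershell" in event.get("Command", "").lower():
        decoded = decode_encoded_command(args)
        if decoded is not None:
            reasons.append("encoded PowerShell action: " + decoded)
        if HIDDEN_FLAG.search(args):
            reasons.append("PowerShell launched with a hidden window")
    return reasons

def scan(events):
    """Map each flagged task name to its reasons; tasks with no findings are omitted."""
    return {e["TaskName"]: r for e in events if (r := assess_task_event(e))}
```

Matching on the task name alone is brittle, since the name is trivial to change; the decoded-action and hidden-window checks are what carry over to the next campaign.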

5. **Google’s Response**: Google’s Threat Analysis Group (TAG) has added all domains, websites, and files used in these attacks to its Safe Browsing phishing protection service. They have also alerted Gmail and Workspace users targeted in these attacks.

6. **Background of ColdRiver**: Also known as Callisto Group, Seaborgium, and Star Blizzard, ColdRiver has been active since late 2015. They are known for their open-source intelligence (OSINT) and social engineering skills and have been linked to Russia’s FSB.

7. **U.S. State Department’s Action**: Since December 2023, the U.S. State Department has offered rewards of up to $10 million for information leading to the identification or location of ColdRiver threat actors.